CVE-2024-53384

5.1 MEDIUM

📋 TL;DR

This DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to inject malicious scripts that can execute arbitrary code when users interact with affected web applications. It affects any application bundled with this specific version of tsup, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • tsup
Versions: v8.3.4
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects projects using tsup for bundling with the specific vulnerable component in cjs_shims.js
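As an added illustration (not code from tsup or its advisory), the kind of unguarded document.currentScript lookup a CommonJS shim uses to derive import.meta.url, beside a guarded resolver that only trusts the src of a real script element. The function names and mock documents are constructed for this example; the tagName check stands in for the stricter browser-side instanceof HTMLScriptElement test so that it runs under Node without a DOM.

```javascript
// Added example, not tsup's own cjs_shims.js: names and mocks are constructed.

// Risky pattern: whatever document.currentScript resolves to, use its .src.
function unguardedImportMetaUrl(doc) {
  return (doc.currentScript && doc.currentScript.src) ||
    new URL('main.js', doc.baseURI).href;
}

// Guard: accept .src only from an element that really is a <script>.
// In a browser, `el instanceof HTMLScriptElement` is the stricter check;
// a tagName comparison is used here so the example runs under plain Node.
function isRealScript(el) {
  return !!el && typeof el.tagName === 'string' &&
    el.tagName.toUpperCase() === 'SCRIPT';
}

// Hardened resolver: falls back to document.baseURI when the guard fails.
function guardedImportMetaUrl(doc) {
  const el = doc.currentScript;
  if (isRealScript(el) && typeof el.src === 'string' && el.src) {
    return el.src;
  }
  return new URL('main.js', doc.baseURI).href;
}

// Constructed mock documents standing in for the real DOM.
const legitDoc = {
  baseURI: 'https://app.example/',
  currentScript: { tagName: 'SCRIPT', src: 'https://app.example/assets/bundle.js' },
};
// Here the currentScript lookup has been clobbered by a named non-script
// element carrying a src attribute (the DOM Clobbering case in this CVE).
const clobberedDoc = {
  baseURI: 'https://app.example/',
  currentScript: { tagName: 'IMG', src: 'https://untrusted.example/x.js' },
};

// Returns what each resolver yields, so the difference can be asserted on.
function demo() {
  return {
    legit: guardedImportMetaUrl(legitDoc),
    unguarded: unguardedImportMetaUrl(clobberedDoc),
    guarded: guardedImportMetaUrl(clobberedDoc),
  };
}
```

The guarded resolver returns the page's own base URL for the clobbered document, so any script loaded relative to import.meta.url stays on the application's origin.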

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case: Cross-site scripting (XSS) attacks leading to session hijacking, credential theft, and client-side data manipulation.

🟢 If Mitigated: Limited impact with proper content security policies and input sanitization preventing script execution.

🌐 Internet-Facing: HIGH - Web applications using vulnerable tsup versions are directly exposed to client-side attacks.
🏢 Internal Only: MEDIUM - Internal applications could be exploited through phishing or compromised internal users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available in a GitHub gist; exploitation requires user interaction with a crafted web page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v8.3.5 or later

Vendor Advisory: https://github.com/egoist/tsup/security/advisories

Restart Required: No

Instructions:

1. Check current tsup version: npm list tsup
2. Update tsup: npm update tsup@latest
3. Rebuild your project: npm run build
4. Verify update: npm list tsup

🔧 Temporary Workarounds

Implement Content Security Policy (applies to: all)

Add strict CSP headers to prevent script execution from untrusted sources:

Content-Security-Policy: script-src 'self'

Input Sanitization (applies to: all)

Sanitize all user inputs and implement output encoding.

🧯 If You Can't Patch

  • Implement strict Content Security Policy with script-src directives
  • Use subresource integrity (SRI) for all external scripts

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list tsup | grep 8.3.4

Check Version:

npm list tsup

Verify Fix Applied:

Verify tsup version is 8.3.5 or higher: npm list tsup | grep -v 8.3.4 (this only filters out the vulnerable version line; confirm the version actually printed is 8.3.5 or higher)

📡 Detection & Monitoring

Log Indicators:

  • Unusual script loading patterns
  • DOM manipulation events from unexpected sources
  • import.meta.url usage with document.currentScript

Network Indicators:

  • Suspicious script sources in HTTP requests
  • Unusual Content-Type headers for scripts

SIEM Query:

source="web_logs" AND (uri="*.js" OR uri="*.ts") AND (message="import.meta.url" OR message="document.currentScript")
